<div dir="ltr">I should clarify that the default for ssl_protocols is fine for my environment, since we need to support SSLv3; if you don't, I suggest making it safer:<div>ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br></div><div>

<br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 15, 2014 at 2:31 PM, Miguel Clara <span dir="ltr"><<a href="mailto:miguelmclara@gmail.com" target="_blank">miguelmclara@gmail.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br>I have an nginx 1.5 install where I don't set ssl_protocols, because the defaults are fine:<br>

---> "Since versions 1.1.13 and 1.0.12, nginx uses “ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2” by default."<br>
</div><div><br></div><div><br></div><div>This is what I have found to be the best for ciphers; SSL Labs seems to like it. I would even set !RC4, but we still need to support it on this specific server.</div><div><br></div>

<div>
<br></div><div><div>        # ciphers</div><div>        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";</div>


<div><br></div><div><br></div></div><div><div class="h5"><div><br></div><div><div><br></div></div><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 15, 2014 at 1:31 PM, Nemesiz <span dir="ltr"><<a href="mailto:nginx-forum@nginx.us" target="_blank">nginx-forum@nginx.us</a>></span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hello<br>
<br>
I'm struggling with enabling TLS 1.1 and TLS 1.2. Some info:<br>
<br>
NGINX:<br>
<br>
# nginx -V<br>
nginx version: nginx/1.5.13<br>
built by gcc 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu9)<br>
TLS SNI support enabled<br>
configure arguments: --prefix=/usr/local/nginx/1.5.13<br>
--conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log<br>
--http-client-body-temp-path=/var/lib/nginx/body<br>
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi<br>
--http-log-path=/var/log/nginx/access.log<br>
--http-proxy-temp-path=/var/lib/nginx/proxy<br>
--http-scgi-temp-path=/var/lib/nginx/scgi<br>
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock<br>
--pid-path=/run/nginx.pid --with-pcre-jit --with-debug<br>
--with-http_addition_module --with-http_auth_request_module<br>
--with-http_dav_module --with-http_geoip_module<br>
--with-http_gzip_static_module --with-http_image_filter_module<br>
--with-http_realip_module --with-http_spdy_module --with-http_ssl_module<br>
--with-http_stub_status_module --with-http_sub_module<br>
--with-http_xslt_module --with-ipv6<br>
--add-module=/usr/src/nginx-modules/nginx-openssl-version<br>
--add-module=/usr/src/nginx-modules/testcookie-nginx-module<br>
--with-pcre=/usr/src/nginx-modules/pcre-8.35<br>
--with-openssl=/usr/src/nginx-modules/openssl-1.0.1g<br>
<br>
SSL settings:<br>
<br>
ssl_session_cache shared:SSL:50m;<br>
ssl_session_timeout 5m;<br>
ssl_dhparam /etc/nginx/ssl/dhparam.pem;<br>
ssl_prefer_server_ciphers on;<br>
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;<br>
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';<br>



add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";<br>
<br>
<br>
<a href="https://www.ssllabs.com/ssltest/" target="_blank">https://www.ssllabs.com/ssltest/</a> results:<br>
<br>
Protocols<br>
TLS 1.2         No<br>
TLS 1.1         No<br>
TLS 1.0         Yes<br>
SSL 3   Yes<br>
SSL 2   No<br>
<br>
Any hint ?<br>
<br>
Posted at Nginx Forum: <a href="http://forum.nginx.org/read.php?2,249305,249305#msg-249305" target="_blank">http://forum.nginx.org/read.php?2,249305,249305#msg-249305</a><br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>
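<p>Two things the thread leaves the reader to work out by hand: which <code>ssl_protocols</code> each <code>server {}</code> block actually ends up with (the quoted nginx default still includes SSLv3 wherever the directive is missing), and what the two cipher strings posted above really expand to. The script below is an added example, not code from either poster or from nginx. It walks an nginx.conf with a minimal brace parser, expands a cipher string with the OpenSSL that Python is linked against, and, given a host name, negotiates one TLS version at a time the way the SSL Labs "Protocols" table does. The sample configuration and the <code>example.com</code> host names are constructed for the example; the two cipher strings and the default protocol list are the ones quoted in the thread.</p>

```python
"""Added example (not from the thread): audit nginx ssl_protocols and
ssl_ciphers before asking ssllabs.com what the server negotiates."""
import re
import socket
import ssl

# Default since nginx 1.1.13 / 1.0.12, as quoted in the thread: SSLv3 is in it.
NGINX_DEFAULT_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# The two cipher strings posted in the thread.
POSTED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:"
    "!3DES:!MD5:!PSK"
)
SUGGESTED_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# Constructed sample config: three virtual hosts, only one set up like the poster's.
SAMPLE_CONF = """
http {
    ssl_prefer_server_ciphers on;
    server {
        listen 443 ssl;
        server_name legacy.example.com;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # as posted
    }
    server {
        listen 443 ssl;
        server_name default.example.com;             # no directive: nginx default applies
    }
    server {
        listen 443 ssl;
        server_name modern.example.com;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;         # the suggested setting
    }
}
"""


def _statements(conf_text):
    """Yield nginx statements ('directive args', 'block {', '}') with comments
    stripped. Assumes no ';', '{' or '}' inside quoted directive values."""
    conf_text = re.sub(r"#[^\n]*", "", conf_text)
    for match in re.finditer(r"[^;{}]*[;{}]", conf_text):
        stmt = match.group(0).strip()
        if stmt.endswith(";"):
            stmt = stmt[:-1].strip()
        if stmt:
            yield stmt


def effective_protocols(conf_text):
    """Map server_name -> protocols the block ends up with: its own directive,
    else one inherited from http{}, else the compiled-in nginx default."""
    results, stack = {}, []
    current = {"block": "main", "ssl_protocols": None, "server_name": None}
    for stmt in _statements(conf_text):
        if stmt.endswith("{"):
            stack.append(current)
            current = {"block": stmt[:-1].strip(), "ssl_protocols": None, "server_name": None}
        elif stmt == "}":
            if current["block"] == "server":
                inherited = next((b["ssl_protocols"] for b in reversed(stack) if b["ssl_protocols"]), None)
                protos = current["ssl_protocols"] or inherited or NGINX_DEFAULT_PROTOCOLS
                results[current["server_name"] or "server#%d" % (len(results) + 1)] = tuple(protos)
            current = stack.pop()
        else:
            words = stmt.split()
            if words[0] == "ssl_protocols":
                current["ssl_protocols"] = words[1:]
            elif words[0] == "server_name":
                current["server_name"] = words[1]
    return results


def servers_allowing_sslv3(conf_text):
    """Names of server blocks that still accept SSLv2 or SSLv3."""
    return sorted(name for name, protos in effective_protocols(conf_text).items()
                  if "SSLv2" in protos or "SSLv3" in protos)


def expand_ciphers(cipher_string):
    """Expand an OpenSSL cipher string in preference order using the OpenSSL
    Python is linked against (so RC4 is absent on builds that drop weak
    ciphers). TLS 1.3 suites are not governed by ssl_ciphers; filter them out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def without_forward_secrecy(cipher_string):
    """Suites in the expansion that use plain RSA key transport (no ECDHE/DHE)."""
    return [n for n in expand_ciphers(cipher_string)
            if not (n.startswith("ECDHE-") or n.startswith("DHE-"))]


def probe_tls_version(host, version, port=443, timeout=5.0):
    """Negotiate exactly one protocol version, like the SSL Labs 'Protocols'
    table; returns the negotiated version or None. SSLv3 cannot be probed
    this way from a modern Python/OpenSSL, and the certificate is not checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    import sys
    for name, protos in effective_protocols(SAMPLE_CONF).items():
        print("%-22s %s" % (name, " ".join(protos)))
    print("SSLv3 still enabled on:", servers_allowing_sslv3(SAMPLE_CONF))
    print("non-PFS suites in the posted list:", without_forward_secrecy(POSTED_CIPHERS))
    if len(sys.argv) > 1:  # python audit.py host.example.com
        for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
            print(v.name, probe_tls_version(sys.argv[1], v))
```

<p>Run without arguments it audits the embedded sample and reports that two of the three virtual hosts still accept SSLv3, one of them only because the directive is absent. Passing a host name adds the per-version probe, which is the quickest local check when SSL Labs reports "TLS 1.2 No" for a server whose config appears to enable it. The expansion of the posted list also shows that <code>AES128-GCM-SHA256</code>, <code>AES256-GCM-SHA384</code> and everything <code>HIGH</code> pulls in after them negotiate without forward secrecy; with <code>ssl_prefer_server_ciphers on</code> they are only reached by clients that offer no ECDHE or DHE suite.</p>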